If you look on LinkedIn you will find a thread of approaching six hundred comments, observations and opinions on this very question. Some are informative, some are thoughtful, some are well reasoned, some are simply votes for one interpretation or another and some are nonsense.

I have trouble wondering why the question seems so important and why people can't simply work out what to do when there is an apparent need to reset someone's password. If you work out what to do, the nature of your solution may well fall under the general shape of an incident or a service request or something else or merely a process for resetting passwords. In terms of relative importance it is about 4,567 times more important to understand how to deal with a password reset request than to understand whether it is an incident or something else.

[the words I've wasted stating the utterly obvious on this topic!]

[still, let's go on]

If you define what an incident is and what a service request is and what a change is, etc., then you will be able to see what lies within their respective scopes. What is to be gained by doing it the other way round?

_________________
"Method goes far to prevent trouble in business: for it makes the task easy, hinders confusion, saves abundance of time, and instructs those that have business depending, both what to do and what to hope."
William Penn 1644-1718

I would write a procedure for resetting passwords that took into account the issue of security and catered for the need to know if there is an underlying problem related to the frequency of requests or the particular applications or particular segments of the user community and ensured that it was always done expeditiously. All these factors would continue to be catered for if the process was automated.

This caters for whatever reason it is being reset, including to do with some over-arching change or as part of incident resolution. If the source is a user request to the service desk, I would not mark it as an incident because, although there is a logical case to be made, it is not like most incidents and its frequency in large organizations distorts the overall incident statistics unnecessarily. Whether I would classify it as a service request would very much depend on how the organization perceived that context. I would certainly class it as a password reset request and I think that would be sufficient.

I never try to squeeze things into ITIL definitions if that is not their natural home, because ITIL is not a universal framework; nor need it be.

I hope you will find this consistent with what I have said on LinkedIn because I'm not going to check it.